Posts on this page:

Managing Online Responders (OCSP) with PowerShell (part 3)

In the previous post we explored the techniques used to create a common revocation configuration for use with Enterprise CA.

Today we will discover another option, when you create revocation configuration for external (Standalone or 3rd party) CA. Steps to create such configurations are almost the same and differ only in certain parts.

Creating revocation configuration for Standalone CA

Consider the following scenario: you have a Standalone CA which is not connected to a network. You need to create revocation configuration for this CA. Signing certificate is issued (out of band) from that CA.

Read more →

Managing Online Responders (OCSP) with PowerShell (part 2)

Hello folks, sorry for delayed post, one of my SSD disk suddenly dead and I was busy with data recovery.

In the previous post we discovered main interfaces and methods to retrieve Online Responder array settings and revocation configurations. Today we will learn how to use them to delete existing revocation configuration and add a new one.

Deleting existing revocation configuration

In the previous post you noticed that my OCSP server has configured one revocation configuration named “test”. Consider when we don’t need this particular configuration (say, associated CA was decommissioned). We can delete it by calling IOCSPCAConfigurationCollection::DeleteCAConfiguration method and applying changes by calling IOCSPAdmin::SetConfiguration method.

Read more →

Managing Online Responders (OCSP) with PowerShell (part 1)

Hello S-1-1-0, CryptoGuy is back again. Recently I spent a lot of time on PowerShell Cmdlet Help Editor enhancement and didn’t had enough time to write new posts. Now I’m making a break and will continue blogging. Today I open a post series about managing Microsoft Online Responders (OCSP) with PowerShell.

Underlying API

Microsoft implemented OCSP server management via a number of COM interfaces which are directly instantiable:

Getting basic information

At first we will start with service availability by calling IOCSPAdmin.Ping method:

Read more →

OCSP Client Tool — advanced stuff

Hello S-1-1-0 again, I'm back!

In the first part we discovered basic OCSP requests and responses. Today's stories:

  • Nonce
  • Service Locator


By default, Online Responder may pre-cache OCSP response for particular certificate, especially if the certificate is used very frequently (for example, SSL certificate at until it (response) is expired. This reduces server load, because there is no need to sign the same response for each incoming request. And this behavior is recommended by RFC5019. Here is an example for StartSSL/StartCom SSL certificate:

Read more →

OCSP Client Tool

Hello folks, PowerShell Crypto Guy is again on the board! Today I want to talk about a useful OCSP Client Tool which is available in my PowerShell PKI module.

A long time ago in a galaxy far, far away....

A time ago I started Online Responder deployment and was faced the problem that there are no good tools to test it's configuration and how it works. PKIView.msc and certutil.exe just can tell whether the OCSP is functional or not. No details about request and/or response details. After a little research I found pretty useful and nice tool called Ascertia OCSP Client Tool. Actually this is a great tool with a lot of powerful features, including raw ASN.1 traces and so on. I thought that it is worth to buy the tool and contacted their sellers. Holy ****, the price killed me. They asked about 1,800 (1.8k) euros for a single license! Even though the tool is very cool, I wasn't ready to spend such money for it. But, if you manage Lorne Greene or Johnny Cash, then Ascertia's product may be for you.

Read more →